A solid password policy is the first line of defense for your
corporate network. Protecting your systems from unauthorized users
may sound easy on the surface, but it can actually be quite
complicated. You have to balance password security with usability,
while also following various regulatory requirements.
Companies in the EU must have password policies that are
compliant with the General Data Protection Regulation (GDPR). Even
if your company isn’t based in the EU, these requirements apply if
you have employees or customers residing in the EU or customers
purchasing there.
In this post, we will look at GDPR requirements for passwords
and provide practical tips on how to design your password policy.
Remember, even if GDPR isn’t required for you now, the fundamentals
of a data protection regulation plan can help strengthen your
organization’s security.
Password requirements for GDPR compliance
You may be surprised to discover that the GDPR laws do not
actually mention password policies at all. If you simply read the
text, you may initially believe that a company can implement any
password policy, without having any concerns over GDPR
compliance.
However, the GDPR laws will impact password policy under the
umbrella of prevention.
Preventing unauthorized access to information
Any information that a company gathers from customers or other
sources needs to be properly protected under GDPR compliance. This
means having strong security measures to prevent hackers and other
unauthorized individuals from gaining access to this data.
As we all know, passwords are one of the most important digital
security controls for protecting any data.
Tips for creating a GDPR compliant password policy
The following are some best practices to consider when creating
a strong password policy that will keep your systems safe, and get
you closer to compliance.
Use a password list to block compromised passwords
A good password needs to be difficult to crack or guess. Today,
stolen and brute-forced credentials are the leading cause of data
breaches. To protect your data against these attacks, a password
policy should ban common and breached passwords.
Because of password reuse, many credential-based attacks use
password lists breached from one system to target another.
Government agencies such as NIST and the NCSC recommend blocking
compromised and easily guessable passwords from being used
altogether. This is one of the only ways to protect accounts even
when stronger password settings are enforced: a long, complex
password that has already leaked is just as easy for an attacker to
try as a short one.
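One way to implement the breached-password check at password-change time, as an added Python example that is not code from this page or from Specops. The leaked list is a constructed sample stored as SHA-1 hashes (the form public breach corpora are usually distributed in), and the minimum length and banned words are assumed policy values, not figures from the page.

```python
import hashlib

# Constructed sample of a leaked-password corpus. Keeping only SHA-1 digests
# means the plaintext list never has to sit on the host doing the check.
_CONSTRUCTED_LEAK = ["password", "123456", "qwerty", "letmein", "Summer2023!"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in _CONSTRUCTED_LEAK}

# Assumed policy values (hypothetical; the page gives no concrete numbers or words).
BANNED_WORDS = ("contoso", "password")
MIN_LENGTH = 12


def leak_suffixes_for_prefix(prefix: str) -> set:
    """Return the hash suffixes for a 5-hex-char prefix.

    Offline stand-in for a range query against a breach corpus: the lookup is
    keyed by prefix only, so the candidate's full hash never leaves this host.
    """
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_leaked(password: str) -> bool:
    """True if the candidate's SHA-1 appears in the leaked corpus."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in leak_suffixes_for_prefix(prefix)


def check_password(password: str, username: str) -> list:
    """Evaluate a candidate against the policy; an empty list means it is acceptable.

    Every failing rule is reported so the user gets the dynamic feedback the
    post describes, rather than a bare rejection.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    if username.lower() in lowered:
        reasons.append("contains the username")
    for word in BANNED_WORDS:
        if word in lowered:
            reasons.append(f"contains banned word '{word}'")
    if is_leaked(password):
        reasons.append("found in leaked-password list")
    return reasons


if __name__ == "__main__":
    for candidate in ("Summer2023!", "correct horse battery staple"):
        print(candidate, "->", check_password(candidate, "alice") or "accepted")
```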
Don’t use secret questions
It is common practice to set up ‘secret questions’ that can be
answered in order to unlock or reset the password on an
account.
Secret questions are things like ‘what is your mother’s
maiden name’ or ‘what was your school mascot.’ Since these types of
questions can be vulnerable to social engineering attacks[1], it is
best to avoid them completely.
Consider MFA
One of the best ways you can improve your password security is
to implement multi-factor authentication. This is where, in
addition to a username and password, other factors are used to
verify a user.
For example, this can be a one-time password that is generated
specifically for the user on their mobile device during
authentication.
Making GDPR compliance simple
Implementing GDPR for your non-EU business may seem like a
headache, but the compliance and additional security protections
will cover your bases from a legal and cyberattack prevention
standpoint. This article sums up the how, why, and when of GDPR
compliance[2] if you’re looking for
additional intel.
When you’re implementing a password policy for your AD with GDPR
compliance in mind, it’s a good idea to use a third-party tool to
help your password policy reach your entire end-user directory.
My favorite is Specops Password Policy[3],
which can help you block breached and other compromised passwords
in Active Directory. During a password change in Active
Directory, the service blocks the change and notifies the user if
the chosen password is found in a list of leaked passwords, and it
provides dynamic feedback on password compliance. Specops Password
Policy makes it easy to keep out vulnerable passwords and comply
with the latest password guidelines.
[Image: Specops Password Policy keeps your policies organized and easily configurable]
Using a password policy tool not only helps with GDPR compliance
in preventing unauthorized access to information, it keeps your
internal AD infrastructures organized and safe. Specops Password
Policy extends the functionality of Group Policy and simplifies the
management of fine-grained password policies for a simpler approach
to password security and compliance.
Whether you’re using a password policy tool or educating
end-users manually, GDPR compliance can be an asset to any security
infrastructure regardless of location, and don’t forget it’s
mandatory if you’re storing EU citizen data.
References
[1] These types of questions can be vulnerable to social engineering attacks (specopssoft.com)
[2] Sums up the how, why, and when of GDPR compliance (termly.io)
[3] Specops Password Policy (specopssoft.com)